Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers

Reply
Highlighted
L0 Member

Publicly Routable DMZ for Microsoft Lync 2010 Edge Servers

Hello all,

I'm hoping you can help me with a problem that has me stumped.  I'm trying to configure our PA 5020 to support a Microsoft Lync 2010 server edge environment being load balanced by an F5.  Per Microsoft, in order to do this the IP addresses on the edge servers must be publicly routable and cannot employ NAT.  Currently, my external interface is configured with a 63.x.x.x/24 address/netmask.  We have two DMZ's 10.11.107.1/24 and 10.11.113.1/24 respectively that are taking advantage of NAT's.  We have 16 addresses in all that we need to make publicly routable, currently configured to be 63.x.x.120-135.  I thought that I could setup a new interface as a public DMZ but was unable to as the IP address ranges on the two interfaces overlapped, so the commit failed.  I'm somewhat of a networking novice but I'm pretty sure trying to put those devices in the 107 DMZs won't work as they'll have the wrong gateway address and won't route.

I'm really stumped as to how I can accomplish this without NAT's.

Any help would be greatly appreciated.

Rob Z                    ,

Highlighted
L6 Presenter

To sum it up:

External: 63.x.x.x/24

DMZ1: 10.11.107.1/24

DMZ2: 10.11.113.1/24

I assume the range at External is a public range handed over to you by your ISP?

This is what I would do:

1) Setup a linknet between your PA and your ISP, for example:

PA: 10.0.0.1/30

ISP: 10.0.0.2/30

2) Instruct your ISP to route that 63.x.x.x/24 with nexthop 10.0.0.1 (or whatever IP your PA end up with).

3) Set your PA to use 10.0.0.2 (or whatever IP your ISP will use) as default gateway.

Now you can setup parts of 63.x.x.x/24 directly on interfaces on your PA aswell as NAT the other IP's to the DMZ's using private IP's (DMZ1 and DMZ2).

So you would end up with (just an example):

External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24)

DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)

DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)

DMZ3: 63.0.0.113/28 (63.0.0.113 is IP at PA, 63.0.0.112-127)

NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)

NAT2: 63.0.0.44 -> 10.11.113.5 (or whatever)

But if possible I would start to use this range from two sides. Like NATed IPs from the lower part and routed IPs from the higher part (or the other way around =)

Like so:

External: 10.0.0.1/30 (10.0.0.1 is IP at PA, routed 63.x.x.x/24 from ISP)

DMZ1: 10.11.107.1/24 (10.11.107.1 is IP at PA, 10.11.107.0-255)

DMZ2: 10.11.113.1/24 (10.11.113.1 is IP at PA, 10.11.113.0-255)

DMZ3: 63.0.0.241/28 (63.0.0.241 is IP at PA, 63.0.0.240-255)

NAT1: 63.0.0.1 -> 10.11.107.2 (or whatever)

NAT2: 63.0.0.2 -> 10.11.113.5 (or whatever)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!